2012 International Conference on ICT Convergence (ICTC), Jeju, Korea (South), 2012.10.15-2012.10.17
Prediction Model for Botnet-based Cyber Threats
Sun-Hee Lim
Cyber Security-Convergence Research Laboratory
Electronics and Telecommunications Research Institute
Daejeon, Korea
Email: [email protected]

Seunghwan Yun
Center for Information Security Technologies
Korea University
Seoul, Korea
Email: [email protected]

Jong-Hyun Kim and Byung-gil Lee
Electronics and Telecommunications Research Institute
Email: {jhk, bglee}@etri.re.kr
Abstract—Recent malicious attempts in cyberspace are intended to bring about cyberwar, as Stuxnet did, as well as to obtain financial benefit through spam, distributed denial-of-service (DDoS), identity theft, and phishing via a large pool of compromised hosts, which are called zombies. Botnets are becoming one of the most serious threats to Internet security. We consider the activity and propagation of botnets to be major pre-symptoms of cyber threats and propose a prediction model of cyber threats based on botnets.
Keywords—botnet, DDoS, security, threat, prediction
I. INTRODUCTION
Cyber threats such as Stuxnet, which can create risk at the national level, as well as extortion or the collection of personal information from third parties for misuse, the pursuit of financial profit by spreading pornographic or commercial mail to random recipients, and the incapacitation of a competitor's information services, have unfortunately become common practice, and over 60% of them are carried out through a botnet [1].

Many botnet-based detection technologies have been actively proposed in previous studies [2][3][4]. Beyond detection methods that follow a botnet's characterization (protocol, architecture, signature, and so on), research is needed on quantifying and predicting botnet-based cyber threats.

Recently, early warning/forecasting techniques have been studied in Threat Management System (TMS) and Risk Management System (RMS) technologies, in order to detect cyber threats in advance and to provide guidelines for the criteria of security policy and countermeasures. TMS/RMS technologies are emerging as efficient alternatives that overcome the disadvantages of existing security solutions. However, TMS/RMS focus on forecasting/warning techniques based on information about attack situations that have already occurred. It is therefore difficult to differentiate TMS/RMS technologies from existing security solutions, and difficult to use them as a solution that recognizes a threat situation before the actual attack.

We consider the activity and propagation of botnets to be major pre-symptoms of cyber threats, and in this paper we propose a prediction model for cyber threats based on botnets.
II. RELATED WORK
A. Growth of Botnet
A botnet is a network of many computers infected by malicious code, i.e. bots. A great many computers, the zombies, are infected by bots and remotely controlled by a botmaster who holds authority over them. Zombies connect to a command and control (C&C) server that issues commands and control instructions through the network, and so they perform various malicious activities.

Early botnets mainly use a centralized structure and the Internet Relay Chat (IRC) protocol. In a centralized botnet one C&C server commands and controls many zombies, so it is easy to detect and block the C&C server. Detecting and defending against that single C&C server does great damage to the botnet, because many zombies are lost at once. Botnets therefore evolved toward a distributed command and control method, the peer-to-peer (P2P) botnet, in which every zombie can act as a C&C server. In addition, the use of HTTP, the web protocol, makes it harder to detect the C&C server and to cope with attacks. Furthermore, evolved botnets use the Domain Name System (DNS) for communication between the C&C server and the zombies, because a C&C server with a fixed IP address is easily blocked by IP tracking. As a more advanced method of evading C&C server detection, a Dynamic DNS (DDNS) service or Fast-Flux technology maps a domain name to IP addresses and continuously changes the IP address [2].
B. Prediction of Network Threats
Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) are mainly based on identification, detection, reporting, and prevention of threats and attacks. However, attacks and intrusions are identified and blocked only after they have inflicted serious damage [5]. In the information security field, a forecast of future trends, analogous to a weather forecast, covering the increasing number of attacks, the risk level of malicious code, and the probability of attack occurrence, may influence decisions about security provision before incidents happen. Forecast techniques for predicting the increase or decrease of attacks may be obtained using time series analysis, the hidden Markov model, or Bayesian inference. However, in practice the correlations among features that forecasting relies on in meteorology cannot be found in the information security field. Furthermore, it is difficult to define the threshold value that marks the commencement of an attack, because forecasting with Bayesian inference calculates conditional probability from past-observed event counts or attack events [6]. The criteria separating "before" and "after" an attack happens therefore remain indefinite.
978-1-4673-4828-7/12/$31.00 ©2012 IEEE    ICTC 2012
III. BOTNET-BASED PREDICTION MODEL
This paper proposes a prediction model that estimates the degree of botnet-based threats by monitoring a botnet's size, activity, and propagation over the whole area, unlike the prediction models of existing research, which are based on time series analysis.
A. Botnet Detection
1) Monitoring Group Activities in DNS traffic: The paper [2] proposed a botnet detection mechanism based on monitoring DNS traffic. Here the characteristics of a botnet are the source IPs, the connection activity, and the access patterns toward the C&C server. In a botnet a fixed set of clients approaches the C&C server, and in particular situations the traffic increases drastically as a group activity. The use of DDNS is usually classified as abnormal behavior. In contrast, the DNS traffic patterns of normal users accessing a specific domain name are not well defined: they are universal, random, and continuous.
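As an added illustration of the two features this paragraph attributes to [2] (a fixed client group, and synchronized group activity), the following Python script is not code from the paper or from [2]. It assumes a constructed DNS query log of the form "timestamp source_ip qname", slices it into fixed time windows, and scores each queried name by the Jaccard similarity of its querying client sets in consecutive windows; the window length, the Jaccard metric, the minimum group size and the similarity threshold are all assumptions chosen for the illustration, not the metric used by [2].

```python
from collections import defaultdict

# Constructed sample log (not real traffic): one name is queried by the same five
# clients within a couple of seconds in every window; the other by changing clients.
LOG = """\
0 198.51.100.11 news.example.com
10 10.0.0.1 cc.example.net
10 10.0.0.2 cc.example.net
11 10.0.0.3 cc.example.net
11 10.0.0.4 cc.example.net
12 10.0.0.5 cc.example.net
25 198.51.100.12 news.example.com
40 198.51.100.13 news.example.com
70 10.0.0.1 cc.example.net
70 10.0.0.2 cc.example.net
71 10.0.0.3 cc.example.net
71 10.0.0.4 cc.example.net
72 10.0.0.5 cc.example.net
80 198.51.100.14 news.example.com
95 198.51.100.11 news.example.com
110 198.51.100.15 news.example.com
"""


def parse_log(text):
    """Parse 'timestamp src qname' lines into (int ts, src, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname = line.split()
        records.append((int(ts), src, qname))
    return records


def client_sets_per_window(records, window):
    """qname -> window index -> set of source IPs that queried it in that window."""
    sets = defaultdict(lambda: defaultdict(set))
    for ts, src, qname in records:
        sets[qname][ts // window].add(src)
    return sets


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def group_activity_scores(text, window=60):
    """Mean Jaccard similarity of a name's client set across consecutive windows.

    A fixed client group (the 'fixed clients' feature) gives a score near 1.0;
    normal users, who come and go at random, give a low score. Names seen in a
    single window only are skipped: there is no consecutive pair to compare
    (assumption of this illustration).
    """
    sets = client_sets_per_window(parse_log(text), window)
    scores = {}
    for qname, by_window in sets.items():
        idx = sorted(by_window)
        if len(idx) < 2:
            continue
        sims = [jaccard(by_window[idx[k]], by_window[idx[k + 1]]) for k in range(len(idx) - 1)]
        scores[qname] = sum(sims) / len(sims)
    return scores


def flag_group_activity(text, window=60, min_group=3, threshold=0.8):
    """Names whose largest per-window client group is at least min_group hosts
    and whose client set stays stable (score >= threshold): the 'group activity'
    plus 'fixed clients' combination the text describes. Thresholds are assumed."""
    sets = client_sets_per_window(parse_log(text), window)
    scores = group_activity_scores(text, window)
    flagged = []
    for qname, score in scores.items():
        largest_group = max(len(s) for s in sets[qname].values())
        if largest_group >= min_group and score >= threshold:
            flagged.append(qname)
    return sorted(flagged)


if __name__ == "__main__":
    for qname, score in sorted(group_activity_scores(LOG).items()):
        print(f"{qname:20s} client-set stability = {score:.2f}")
    print("flagged:", flag_group_activity(LOG))
```

On the constructed log the C&C-like name scores 1.0 (identical client set in both windows) and the news site scores 0.2 (only one of five clients recurs), so only the former is flagged. On real resolver logs the window length and thresholds would have to be tuned against a baseline, and content delivery names with sticky client populations are an obvious source of false positives.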
2) BotSniffer and BotMiner: BotSniffer [3] is designed mainly for detecting C&C activities that use centralized servers and protocols such as IRC and HTTP. However, detection approaches designed for IRC- or HTTP-based botnets may become ineffective, because botnets are evolving and can be quite flexible. To solve this problem, BotMiner [4] proposed a general detection framework that is independent of botnet C&C protocol and structure and requires no a priori knowledge of botnets.
B. Prediction Model for the Threats Estimation
We define the prediction model for estimating the degree of real, active botnet-based threats by monitoring botnet activity, size, and behavior.

We define the C&C server set $S$, the active botnet set $B$, and the active zombie set $Z_{C_i}$ as follows.

$S = \{(C_i, D_i) \mid C_i \text{: C\&C server and } D_i \text{: detection time},\ i \ge 0\}$

$B = \{(C_i, Z_{C_i}) \mid C_i \in S \text{ and } Z_{C_i} \text{: active zombie set},\ 0 \le i \le |S|\}$

$Z_{C_i} = \{(z_{ij}, f_{ij}, e_{ij}) \mid z_{ij} \text{: zombie IP and } f_{ij} \text{: frequency},\ e_{ij} \in E,\ 0 \le j \le B_{size}\}$

Let $B_{size}$ be the number of zombies, over all ISP domains, which access the corresponding C&C server.

$B_{size} = \sum_{i=1}^{|S|} C_{size_i}, \quad C_{size_i} = |Z_{C_i}|, \quad C_i \in S$

Let $B_{frequency}$ be the number of signaling exchanges between the C&C server and the zombies; it accounts for the fact that the C&C server may command and control the zombies frequently, with keep-alive messages, to confirm whether the zombies are alive before the botmaster tries to attack.

$C_{frequency_i} = \Big(\sum_{j=1}^{|Z_{C_i}|} f_{ij}\Big) \Big/ |Z_{C_i}|$

$B_{frequency} = \Big(\sum_{i=1}^{|S|} C_{frequency_i}\Big) \Big/ |S|$

Set of the ISP domains:

$ISP = \{D_i \mid D_i \text{ is an element of the ISP domain},\ i > 1\}$

$BPD_i = \sum_{i=1}^{|S|} |(Z_{C_i} \in D_i)|, \quad C_i \in S,\ D_i \in ISP$

$A$ is the type of activity, such as scanning or spamming, and $\omega(A) \ge 1$ is an activity weight assigned to $A$. $\omega(A)$ assigns higher values to "strong" activities (e.g., spam and exploit) and lower values to "weak" activities (e.g., scanning and binary download) [4]. We let $\omega(\text{none}) = 1$, $\omega(\text{scan}) = 2$, $\omega(\text{binary download}) = 3$, $\omega(\text{spam}) = 4$, and $\omega(\text{exploit}) = 5$, so that the other parameters are still reflected when zombies are inactive.

Finally, the degree of threat ($DT$) is defined as

$DT = \sum_{i=1}^{|S|} \omega_i(A)\, C_{size_i}\, \big(C_{frequency_i} / B_{frequency}\big)$

and the degree of threat of an ISP domain as

$V_{ISP} = (BPD_i / B_{size}) < 1.$

An ISP is weaker as $V_{ISP}$ approaches 1. Fig. 1 depicts $DT$ as the volume of boxes.

Fig. 1. DT: The Diagram of Forecasting Model
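The following Python script is an added worked example of the model above and is not code from the paper. It computes $C_{size_i}$, $C_{frequency_i}$, $B_{size}$, $B_{frequency}$, $DT$, $BPD_i$ and $V_{ISP}$ over a constructed detection set of three C&C servers, nine zombies and three ISP domains represented as address blocks. The paper does not say how the per-server weight $\omega_i(A)$ is chosen when a server's zombies show different activities; the script assumes the weight of the strongest activity observed among that server's zombies, and all sample values are constructed.

```python
from ipaddress import ip_address, ip_network

# Activity weights omega(A) as given in the paper.
OMEGA = {"none": 1, "scan": 2, "binary download": 3, "spam": 4, "exploit": 5}

# Constructed sample: C&C server -> active zombie set Z_{C_i}.
# Each record is (zombie IP z_ij, signaling frequency f_ij, activity e_ij).
BOTNETS = {
    "cc-1": [("10.0.1.5", 12, "spam"), ("10.0.1.9", 8, "spam"), ("10.0.2.3", 4, "none")],
    "cc-2": [("10.0.2.7", 30, "exploit"), ("10.0.3.1", 20, "exploit")],
    "cc-3": [("10.0.3.4", 2, "scan"), ("10.0.3.5", 2, "scan"),
             ("10.0.3.6", 2, "none"), ("10.0.1.20", 2, "scan")],
}

# Constructed ISP domains D_i, modelled as the address blocks they announce.
ISP_DOMAINS = {
    "isp-A": ip_network("10.0.1.0/24"),
    "isp-B": ip_network("10.0.2.0/24"),
    "isp-C": ip_network("10.0.3.0/24"),
}


def c_size(zombies):
    """C_size_i = |Z_{C_i}|."""
    return len(zombies)


def c_frequency(zombies):
    """C_frequency_i = (sum of f_ij) / |Z_{C_i}|; 0 for an empty zombie set."""
    return sum(f for _, f, _ in zombies) / len(zombies) if zombies else 0.0


def b_size(botnets):
    """B_size = sum over all C&C servers of C_size_i."""
    return sum(c_size(z) for z in botnets.values())


def b_frequency(botnets):
    """B_frequency = mean of C_frequency_i over the |S| servers."""
    return sum(c_frequency(z) for z in botnets.values()) / len(botnets) if botnets else 0.0


def activity_weight(zombies):
    """omega_i(A): assumed here to be the weight of the strongest activity seen
    among the server's zombies (the paper does not fix this choice)."""
    return max((OMEGA[e] for _, _, e in zombies), default=OMEGA["none"])


def degree_of_threat(botnets):
    """DT = sum_i omega_i(A) * C_size_i * (C_frequency_i / B_frequency)."""
    bf = b_frequency(botnets)
    if bf == 0:
        return 0.0  # no signaling observed at all: nothing to weight
    return sum(activity_weight(z) * c_size(z) * (c_frequency(z) / bf) for z in botnets.values())


def bpd(botnets, domain):
    """BPD_i: number of active zombies, across all C&C servers, that sit in domain D_i."""
    return sum(1 for z in botnets.values() for ip, _, _ in z if ip_address(ip) in domain)


def v_isp(botnets, isp_domains):
    """V_ISP = BPD_i / B_size for every ISP domain (each value lies in [0, 1])."""
    bs = b_size(botnets)
    return {name: (bpd(botnets, net) / bs if bs else 0.0) for name, net in isp_domains.items()}


def weakest_isp(botnets, isp_domains):
    """The ISP whose V_ISP is closest to 1, i.e. the weakest domain in the paper's terms."""
    return max(v_isp(botnets, isp_domains).items(), key=lambda kv: kv[1])[0]


if __name__ == "__main__":
    for name, zombies in BOTNETS.items():
        print(f"{name}: C_size={c_size(zombies)} C_frequency={c_frequency(zombies):.2f} "
              f"omega={activity_weight(zombies)}")
    print(f"B_size={b_size(BOTNETS)} B_frequency={b_frequency(BOTNETS):.3f} "
          f"DT={degree_of_threat(BOTNETS):.3f}")
    for isp, v in v_isp(BOTNETS, ISP_DOMAINS).items():
        print(f"{isp}: V_ISP={v:.3f}")
    print("weakest ISP:", weakest_isp(BOTNETS, ISP_DOMAINS))
```

With the constructed data, $B_{size} = 9$, $B_{frequency} = 35/3$, and the two-zombie server cc-2 contributes most of $DT$ because its keep-alive frequency is high and its activity weight is 5, which is the model's intended effect: a small but highly active botnet outweighs a large idle one. isp-C hosts four of the nine zombies, so its $V_{ISP}$ is the largest and it is reported as the weakest domain.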
IV. CONCLUSION
Botnets are one of the most serious threats, and we consider botnets to be major pre-symptoms of cyber threats. We monitor botnets, the communication between C&C servers and zombies, and measure the degree of possible threat to a domain through botnet activity.
ACKNOWLEDGMENT
This paper has been supported by the Software R&D program of KCC. [2012/10912-06002, Development of global collaborative integrated security control system]
REFERENCES
[1] http://en.wikipedia.org/wiki/Botnet
[2] H. Choi, H. Lee, H. Lee, H. Kim, Botnet detection by monitoring group activities in DNS traffic, in Computer and Information Technology, 2007. CIT 2007. 7th IEEE International Conference on, 2007, pp. 715-720.
[3] G. Gu, J. Zhang, W. Lee, BotSniffer: Detecting botnet command and control channels in network traffic, in Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), 2008.
[4] G. Gu, R. Perdisci, J. Zhang, W. Lee, BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection, in Proceedings of the 17th conference on Security symposium, 2008, pp. 139-154.
[5] E. Pontes, A. E. Guelfi, IFS: Intrusion Forecasting System Based on Collaborative Architecture, ICDIM 2009, pp. 217-222.
[6] C. Ishida, Y. Arakawa, I. Sasase, Forecast Techniques for Predicting Increase and Decrease of Attacks Using Bayesian Inference, IEEE PACRIM, 2005, pp. 450-453.